
Lecture 13: Malware and Malware Detection

by Hongwoo 2024. 4. 8.


    Malware (malicious software)

    Malware: Software that is inserted into a system, with the intent of compromising the confidentiality, integrity, or availability of the victim's data, applications or operating system or otherwise annoying or disrupting the victim.

    Types: Viruses, Rootkits, Ransomware, Backdoors, etc.

     

     

    Classifying Malware

    Infection Vector

    Infection vector: the method by which a computer virus spreads

    The type of vulnerability the malware exploits to infect a host (software vulnerability, download, design flaw, ...)

    The method malware uses to propagate (Disks, USB, network, website, ad, ...)

    → can also propagate onward to other systems

     

    Payload

    The actions malware takes after infecting

    - DDoS, encrypting disk, stealing data, backdoor, ...

     

     

    Malware Infection Vectors & Propagation

    Malware Infection Vectors

    Compromised legitimate websites

    - Theft of credentials

    - Malicious downloads and mobile apps

    - Exfiltration of personal information

    - Invasive ads

     

    IoT Devices

    - Rarely patched

    - Provide access to private networks of homes and offices

     

    Email through phishing or spamming

    - Include malicious links or attachments

    - Tricks users into sending money or revealing passwords through social engineering

    - Mass distribution, or targeted at specific users

     

    Installed by user:

    Installed by the user (malware may be hidden inside an app)

    May also have been installed without the user's knowledge (or installed by mistake)

     

    Email

    Receiving a malicious executable or link over email

    - A malicious executable as an attachment (usually compressed for evading detection and reducing file size)

    - A link to a website serving malicious executables

    - Attachment has a non-executable extension (e.g. gif) but is executed when opened

    - Two file extensions are used and the system hides known extensions, e.g. image.gif.exe is shown as image.gif

    - Emails with hidden URLs

     

     

    In all these cases, the malware is the application or embedded in the application.

    Users initiate the download and execution of the malware
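    The attachment tricks listed above can be checked on the receiving side by comparing what a file is called with what its bytes actually are. This is an added example, not code from the lecture; the extension sets, the MAGIC table and the sample attachments are constructed for illustration.

```python
# Added example (not the lecture's code): triage an email attachment by checking
# the bytes it actually contains against the name it was sent under.
# Sample attachments, the extension sets and the MAGIC table are constructed here.
from typing import List, Tuple

EXECUTABLE_EXTS = {"exe", "scr", "com", "bat", "cmd", "js", "vbs", "ps1"}
BENIGN_EXTS = {"gif", "jpg", "png", "pdf", "txt", "docx"}   # what users open freely
OFFICE_ZIP_EXTS = {"docx", "xlsx", "pptx"}                  # zip containers by design
MAGIC: List[Tuple[bytes, str]] = [          # leading bytes -> real format
    (b"MZ", "pe-executable"),
    (b"GIF8", "gif"),
    (b"\x89PNG", "png"),
    (b"%PDF", "pdf"),
    (b"PK\x03\x04", "zip"),
]

def sniff(data: bytes) -> str:
    """Identify the real format from the first bytes, ignoring the filename."""
    for prefix, kind in MAGIC:
        if data.startswith(prefix):
            return kind
    return "unknown"

def triage_attachment(filename: str, data: bytes) -> List[str]:
    """Return the indicators raised for one attachment (empty list = none)."""
    findings: List[str] = []
    exts = filename.lower().split(".")[1:]   # every extension after the base name
    last = exts[-1] if exts else ""
    kind = sniff(data)
    # image.gif.exe: a harmless-looking extension placed in front of an executable one
    if len(exts) >= 2 and last in EXECUTABLE_EXTS and exts[-2] in BENIGN_EXTS:
        findings.append("double-extension")
    # Named like an image or document, but the bytes are a Windows executable
    if last in BENIGN_EXTS and kind == "pe-executable":
        findings.append("executable-disguised-as-" + last)
    # Compressed attachment: cannot be judged from outside, must be unpacked first
    if kind == "zip" and last not in OFFICE_ZIP_EXTS:
        findings.append("archive-needs-unpacking")
    return findings

if __name__ == "__main__":
    samples = [   # constructed blobs: first bytes only, no real content
        ("holiday.gif", b"GIF89a" + b"\x00" * 16),
        ("image.gif.exe", b"MZ\x90\x00" + b"\x00" * 16),
        ("invoice.pdf", b"MZ\x90\x00" + b"\x00" * 16),
        ("report.zip", b"PK\x03\x04" + b"\x00" * 16),
    ]
    for name, blob in samples:
        print(f"{name:15} -> {triage_attachment(name, blob) or ['clean']}")
```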

     

     

    Drive by Download

    1. User visits a website

    2. The website exploits a vulnerability in the browser

    3. The compromised browser downloads and installs malware

     

    No interaction is required beyond visiting the website, hence "drive-by"

    The visited domain does not have to be malicious itself, e.g. it may include a malicious ad or third-party content

    Exploited vulnerabilities:

    - Memory corruption vulnerabilities in the browser or other native-code components (e.g. Flash)

    - Plugins that execute code over the network (e.g. ActiveX)

     

     

    Exploits Delivered Over Email

    Email includes a document carrying an exploit, e.g. PDF, doc

    The document exploits a vulnerability in the application used to open it

    Or it can include malicious interpreted code e.g. scripts, macros

     

    1. Email includes malicious document

    2. The user opens the attachment

    3. Attachment exploits a vulnerability in the application used to open it

    4. The compromised application downloads and installs malware

     

     

    Exploits Against Servers

    1. Connect to server port

    2. Exploit server vulnerability

    3. The compromised server downloads and installs malware

     

     

    Virus & Worm

    Virus

    - Attaches itself to executable files and transfers from one system to another

    - Human-assisted propagation

    - Slow spreading (needs to be attached to another application to spread itself e.g. email client)

     

    Worm

    - Malicious standalone program that replicates itself and can spread to different machines, usually via the network

    - Automatic propagation (exploits vulnerabilities in client/server programs and actively seeks out vulnerable hosts to infect)

    - Fast spreading due to automatic propagation

     

     

    Worms: Network Target Topology

    Random

    Generate random IP addresses and probe them

     

    Local subnet

    subnet: the smaller local networks that together make up a large network

    First scan the local subnet for targets

    - Bypasses network-periphery defenses

    - Faster than random

     

    Hit-list

    Compile a long list of potentially vulnerable machines

    Parts of the list are distributed to "siblings" of the worm

    Fast

     

    Topological

    Learn new targets from infected hosts

     

     

     

    Rootkits

    A rootkit modifies the operating system to hide its existence, e.g. modifies file system exploration utilities like cd

    - Hard to detect using software that relies on the OS itself

     

    Rootkit Revealer for Windows:

    - Two scans of file system

    1. High-level scan using the Windows API

    2. Raw scan using disk access methods

     

    Discrepancy reveals presence of rootkits 
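    The two-scan comparison described above, reduced to its core, as an added example (not code from the lecture or from RootkitRevealer): both views are constructed dictionaries mapping path to size; a real tool would fill one from the Windows API and the other from raw disk access.

```python
# Added example (not the lecture's code): the RootkitRevealer idea reduced to a
# comparison of two directory listings. Both views are constructed dictionaries
# mapping path -> size in bytes; a real tool would fill them from the Windows
# API and from raw disk access respectively.
from typing import Dict, List, Tuple

Finding = Tuple[str, str]   # (path, kind of discrepancy)

def cross_view_diff(api_view: Dict[str, int], raw_view: Dict[str, int]) -> List[Finding]:
    """Report every path on which the high-level and raw views disagree."""
    findings: List[Finding] = []
    for path in sorted(set(api_view) | set(raw_view)):
        if path in raw_view and path not in api_view:
            # On disk but filtered out of the API view: the classic rootkit symptom
            findings.append((path, "hidden-from-api"))
        elif path in api_view and path not in raw_view:
            # Seen by the API but not on disk: deleted between scans, or virtual
            findings.append((path, "missing-on-disk"))
        elif api_view[path] != raw_view[path]:
            findings.append((path, "size-mismatch"))
    return findings

def persistent(first: List[Finding], second: List[Finding]) -> List[Finding]:
    """Keep only discrepancies present in two independent scan pairs.

    Files created or deleted while the two scans ran produce one-off
    differences; a rootkit hides the same entries every time.
    """
    return sorted(set(first) & set(second))

if __name__ == "__main__":
    hidden = r"C:\Windows\System32\drivers\hidden.sys"        # constructed name
    api_view = {r"C:\Windows\System32\drivers\acpi.sys": 420_000,
                r"C:\Users\u\notes.txt": 812,
                r"C:\Users\u\~tmp.lock": 0}                      # transient file
    raw_view = {**api_view, hidden: 31_744}
    del raw_view[r"C:\Users\u\~tmp.lock"]                        # gone by the raw scan
    first = cross_view_diff(api_view, raw_view)
    second = [(hidden, "hidden-from-api")]                       # result of a rescan
    for path, why in persistent(first, second):
        print(f"{why:16} {path}")
```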

     

     

    Ransomware

    Ransomware encrypts a victim's data (local hard-disk, or networked file-system)

    Attacker requests a ransom in exchange for the decryption key

    e.g. the WannaCry ransomware worm

     

     

    Backdoors

    A backdoor is a program that allows intruders to bypass the normal security controls on a system, gaining access on the intruder's own terms.

     

     

     

    Malware Detection

    Detects specific malicious signatures

    Often uses fast pattern matching techniques

    Problems:

    - False negatives (malicious classified as normal)

    - Signature Evasion

     

    Detects anomalies relative to normal system/network activity

    Often uses machine learning

    Problems: 

    - False positives (normal classified as malicious)

    - Legitimate behavior may itself be non-standard

     

     

    High Cost of Errors

    False Positives require expensive analysis time

    False Negatives (malicious classified as normal) can be catastrophic

     

     

    Signatures

    Scan compares the analyzed object with a database of signatures

    A signature is a virus fingerprint, e.g. a string with a sequence of instructions specific to each virus

    - Different from a digital signature

    A file is considered infected if a signature is found inside its code

    - Fast pattern matching techniques to search for signatures

    All the signatures together create the malware database
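    The "fast pattern matching" step above, as an added example (not code from the lecture): every signature in the database is matched in a single pass over the file with an Aho-Corasick automaton. The signature names and byte patterns are constructed; the second scan shows the false negative that a single changed byte produces, the signature evasion problem listed under Malware Detection.

```python
# Added example (not the lecture's code): Aho-Corasick multi-pattern scanner.
# Signature names, byte patterns and sample buffers are constructed for illustration.
from collections import deque
from typing import Dict, List

class SignatureDB:
    def __init__(self, sigs: Dict[str, bytes]):
        self.children: List[Dict[int, int]] = [{}]  # node -> {byte: child node}
        self.fail: List[int] = [0]                   # node -> fallback node
        self.out: List[List[str]] = [[]]             # node -> signatures ending here
        for name, pattern in sigs.items():
            node = 0
            for b in pattern:
                if b not in self.children[node]:
                    self.children.append({}); self.fail.append(0); self.out.append([])
                    self.children[node][b] = len(self.children) - 1
                node = self.children[node][b]
            self.out[node].append(name)
        self._link()

    def _link(self) -> None:
        # BFS: fail[u] = deepest node whose path is a proper suffix of u's path
        queue = deque(self.children[0].values())     # depth-1 nodes keep fail = root
        while queue:
            v = queue.popleft()
            for b, u in self.children[v].items():
                f = self.fail[v]
                while f and b not in self.children[f]:
                    f = self.fail[f]
                self.fail[u] = self.children[f].get(b, 0)
                self.out[u] += self.out[self.fail[u]]  # inherit shorter matches
                queue.append(u)

    def scan(self, data: bytes) -> List[str]:
        """Names of all signatures occurring in data, in order of first hit (one pass)."""
        hits: List[str] = []
        node = 0
        for b in data:
            while node and b not in self.children[node]:
                node = self.fail[node]
            node = self.children[node].get(b, 0)
            for name in self.out[node]:
                if name not in hits:
                    hits.append(name)
        return hits

if __name__ == "__main__":
    db = SignatureDB({"Constructed.A": b"\x90\x90\xeb\xfe", "Constructed.B": b"\xeb\xfe\xcc"})
    print(db.scan(b"\x00\x90\x90\xeb\xfe\xcc\x00"))   # both signatures, overlapping
    # One byte differs from Constructed.A, so only B is found: the false negative
    print(db.scan(b"\x00\x90\x91\xeb\xfe\xcc"))
```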

     

     

    Heuristic Analysis

    Useful to identify known and unknown malware

    Code analysis: based on the instructions, the anti-malware can determine whether the program is malicious or not, e.g. the program contains instructions to delete system files

    Execution emulation (sandbox):

    - Run code in isolated emulation environment

    - Monitor the actions that the target file takes

    - If the actions are harmful, mark as virus

    Heuristic methods can trigger false alarms

     

     

    Quarantine

    A suspicious file can be isolated in a folder or database called quarantine

    - E.g. if the result of the heuristic analysis is positive and you are waiting for signature updates

    The suspicious file is not deleted but made harmless: the user can decide when to remove it, or restore it in case of a false positive

    - Interacting with a file in quarantine is possible only through the antimalware program

    A file in quarantine is often stored encrypted to prevent its execution

     

     

    Static vs Dynamic Analysis

    Static Analysis

    Check the code without execution

    Filtering: scan with different antimalware products and check whether they return the same result under different names

    Weeding: strip the legitimate (clean) parts of the file as junk to better isolate the virus

    Code analysis: check binary code to understand if it is an executable

     

    Dynamic Analysis

    Check the execution of the code inside a virtual sandbox

    Monitor: 

    - file changes

    - registry changes

    - processes and threads

    - network ports

     

     

    Responsible Disclosure

    What to do if you discover a vulnerability in software: report it → responsible disclosure

    Companies have bug bounty programs in place to encourage responsible disclosure of vulnerabilities

    Disclosure deadlines: the amount of time researchers give companies to patch vulnerabilities before disclosure

     
